Operation Endgame: Authorities smash antivirus test site AVCheck

Developers of malware were able to check it on the portal for detection by antivirus software. Other malware tools are now also offline.




Dutch, Finnish and US authorities have jointly taken further key tools of the malware industry offline. Their action targeted AVCheck and two "cryptor" sites, services that pack and obfuscate malware so that antivirus software no longer recognizes it.

In the highly collaborative malware ecosystem, as in the legitimate software industry, there are specialists for every task in malware development. AVCheck served as a kind of "dark counterpart" to portals such as VirusTotal, where administrators and security researchers upload suspicious files to have them examined by dozens of virus scanners and sandbox VMs. The crucial difference: VirusTotal retains every uploaded file and shares it with the participating vendors, so a malware author who uploads a sample there effectively hands it over for detection signatures to be written. AVCheck, by contrast, promised discretion: samples were scanned against the same antivirus engines but not passed on to the vendors. That discretion is what the operators charged for.

In addition to AVCheck, the "cryptors" crypt.guru and cryptor.biz are also offline. On these domains, malware authors could have their code packed and obfuscated so that signature-based antivirus software no longer detects it, another component of the so-called "Counter Antivirus" (CAV) services.


As part of the international "Operation Endgame 2.0", investigators first obtained test subscriptions from the malware service providers and then struck on May 27. They also established links to known ransomware groups and, as is usual in such operations, placed seizure banners and fake login pages on the domains of the malware tools.

Malware expert Andreas Marx assessed the successful investigations in an interview with heise security: "Portals such as VirusTotal help to quickly identify malware and enable the sharing of knowledge about malware. AVCheck.net, on the other hand, only served to optimize the malware and the attacks so that they remain undetected for as long as possible and the infected PCs can be milked for as long as possible."

In several concerted actions against the malware ecosystem, Western authorities have taken down hundreds of servers in recent weeks, seized millions of email addresses and passwords, and issued search warrants for dozens of suspects.

(cku)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.